New issue
Advanced search Search tips
Starred by 2 users

Issue metadata

Status: Fixed
Owner:
Closed: May 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security



Sign in to add a comment
link

Issue 608104: Security: Heap-use-after-free in RuntimeCustomBindings::GetExtensionViews

Reported by rob@robwu.nl, Apr 29 2016 Project Member

Issue description

Chrome version: 50.0.2661.75

RuntimeCustomBindings::GetExtensionViews retrieves a vector of RenderFrame*s of the current extension, and stores each item in a v8::Array. But the extension can intercept the setter for a numeric index (e.g. 0), destroy the RenderFrame and cause a UAF. Oops.

To reproduce, just load the attached extension (manifest.json & background.js).
The extension does not need any permissions.
 
manifest.json
162 bytes View Download
background.js
1.7 KB View Download
asan-uaf-getViews-50.0.2661.75.log
27.7 KB View Download

Comment 1 by rob@robwu.nl, Apr 30 2016

Cc: rdevlin....@chromium.org
Owner: rob@robwu.nl
Status: Started (was: Unconfirmed)
Patch: https://codereview.chromium.org/1935953002/ (locally verified)

Comment 2 by rsesek@chromium.org, May 2 2016

Labels: Security_Severity-High M-50 Security_Impact-Stable Pri-1

Comment 3 by bugdroid1@chromium.org, May 2 2016

Project Member
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/aa7a889002dd7a1288cc5e962086e517131fb01e

commit aa7a889002dd7a1288cc5e962086e517131fb01e
Author: rob <rob@robwu.nl>
Date: Mon May 02 16:18:37 2016

Create array of extension views without side effects

BUG= 608104 

Review-Url: https://codereview.chromium.org/1935953002
Cr-Commit-Position: refs/heads/master@{#390961}

[modify] https://crrev.com/aa7a889002dd7a1288cc5e962086e517131fb01e/extensions/renderer/runtime_custom_bindings.cc

Comment 4 by rob@robwu.nl, May 3 2016

Labels: Merge-Request-51
Status: Fixed (was: Started)

Comment 5 by tin...@google.com, May 3 2016

Labels: -Merge-Request-51 Merge-Approved-51 Hotlist-Merge-Approved
Your change meets the bar and is auto-approved for M51 (branch: 2704)

Comment 6 by gov...@chromium.org, May 3 2016

Please merge your change to M51 branch 2704 by 4:00 PM PST today so we can take it for this week beta release tomorrow.Thank you.

Comment 7 by ClusterFuzz, May 3 2016

Project Member
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 8 by bugdroid1@chromium.org, May 3 2016

Project Member
Labels: -merge-approved-51 merge-merged-2704
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/3d0effb3db93713cafeea3bc81231403b5cba018

commit 3d0effb3db93713cafeea3bc81231403b5cba018
Author: Rob Wu <rob@robwu.nl>
Date: Tue May 03 21:23:08 2016

Create array of extension views without side effects

BUG= 608104 

Review-Url: https://codereview.chromium.org/1935953002
Cr-Commit-Position: refs/heads/master@{#390961}
(cherry picked from commit aa7a889002dd7a1288cc5e962086e517131fb01e)

Review URL: https://codereview.chromium.org/1948773002 .

Cr-Commit-Position: refs/branch-heads/2704@{#362}
Cr-Branched-From: 6e53600def8f60d8c632fadc70d7c1939ccea347-refs/heads/master@{#386251}

[modify] https://crrev.com/3d0effb3db93713cafeea3bc81231403b5cba018/extensions/renderer/runtime_custom_bindings.cc

Comment 9 by timwillis@google.com, May 9 2016

Labels: reward-topanel

Comment 10 by rob@robwu.nl, May 29 2016

Labels: -M-50 M-51

Comment 11 by timwillis@google.com, May 31 2016

Labels: Release-1-M51

Comment 12 by timwillis@google.com, Jun 6 2016

Labels: -Security_Severity-High Security_Severity-Medium
Updating severity.

Comment 13 by timwillis@google.com, Jun 6 2016

Labels: -reward-topanel reward-1500 reward-unpaid CVE-2016-1700
$1,500 here Rob ($1000 for the report, +$500 for the patch). Cheers as always!

Comment 14 by timwillis@google.com, Jun 8 2016

Labels: -reward-unpaid reward-inprocess

Comment 15 by sheriffbot@chromium.org, Aug 9 2016

Project Member
Labels: -Restrict-View-SecurityNotify
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 16 by sheriffbot@chromium.org, Oct 1 2016

Project Member
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 17 by sheriffbot@chromium.org, Oct 2 2016

Project Member
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 18 by mbarbe...@chromium.org, Oct 2 2016

Labels: allpublic

Comment 19 by awhalley@chromium.org, Apr 25 2018

Labels: CVE_description-submitted

Sign in to add a comment